Suramya's Blog : Welcome to my crazy life…

September 28, 2023

Bing thinks that windows command line is bad enough to require directing people to suicide prevention hotline

Filed under: Humor — Suramya @ 4:25 PM

Windows command line setup is bad enough that Bing suggests calling the suicide prevention hotline when someone searches for how to kill a process from the Windows command line.


Bing suggests calling the suicide prevention hotline when users ask how to kill a process from the command line in Windows.

This is what you get when you have a hard-coded list of ‘trigger words’ for displaying a help card. I think they are checking for the keyword ‘kill’ and just displaying the message without looking at the context of the rest of the search query. I tried searching for it myself and I got a similar response, but with the Indian hotline numbers.


Same search in Bing from India gives the Indian hotline numbers

– Suramya

September 27, 2023

CERN has an OnlyFans page

Filed under: Humor,My Thoughts — Suramya @ 1:48 AM

Apparently CERN has an OnlyFans page which they call ‘The Fantilator Page’ and it is impressive.


Example pic from the page with 46 fans (and 2 power supplies)

Check it out if you have a few mins to kill.

– Suramya

September 26, 2023

Updates on the Blog’s federated presence and name change

Filed under: My Thoughts,Website Updates — Suramya @ 2:54 PM

As I had talked about in a previous post, this blog is part of the Fediverse and all posts here get published to the Fediverse automatically. This means that you could search for @suramya@www.suramya.com on Mastodon and find all my blog posts. I enabled this back in July and all was working well till yesterday, which is when I noticed that my most recent post wasn’t pushed out to Mastodon.

I couldn’t figure out why, so I created an issue over on the wordpress-activitypub GitHub site highlighting the issue. I have to say I was extremely impressed with the quality of the support given for what is essentially a free plugin. I opened the ticket and 6 minutes later I had a response from Matthias Pfefferle, who is the creator of the plugin, and within 2 hours there was a code change warning people about this issue (more later in the blog).

It turns out that I had used a username that was previously an author-name for the blog in the settings and due to this:

the URL https://mastodon.social/@suramya@www.suramya.com redirects to https://www.suramya.com/blog/author/suramya-2/ but it should redirect to https://www.suramya.com/blog/@suramya. This is because Mastodon caches profiles for quite some time, so all the signatures and IDs of the blog user do not match the user Mastodon has in the cache, and so it will decline your post.

The recommendation is to not use author names for the blog, because it could mess up a lot of things due to caching. The fix is to either wait for the cache on the server to expire or use a different name for the blog-user. I decided to change the configuration so that the posts are now being pushed out as @blog to the fediverse and it looks like things are mostly back to normal. There is a rendering issue on Mastodon where it uses the HTML entity code in the blog’s name but that is a minor issue.
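One check worth running after renaming the blog user, added here as an example (my own, not code from the plugin or the original post): confirm that the WebFinger lookup for the account resolves to the actor URL you intend, i.e. the blog user and not an author page. The account name and URLs below are the ones quoted above; the two WebFinger documents are constructed for the example, and the live fetch_webfinger helper assumes only the standard /.well-known/webfinger endpoint, nothing specific to this plugin.

```python
import json
import urllib.request
from typing import List, Optional

ACTIVITY_JSON = "application/activity+json"


def actor_url_from_webfinger(doc: dict) -> Optional[str]:
    """Return the ActivityPub actor URL from a WebFinger document, i.e. the
    rel="self" link typed application/activity+json, or None if absent."""
    for link in doc.get("links", []):
        if link.get("rel") == "self" and link.get("type") == ACTIVITY_JSON:
            return link.get("href")
    return None


def check_account(doc: dict, acct: str, expected_actor: str) -> List[str]:
    """Compare a WebFinger document against the actor URL we intend to serve.
    Returns a list of problems; an empty list means the mapping is as expected."""
    problems = []
    if doc.get("subject") != f"acct:{acct}":
        problems.append(f"subject is {doc.get('subject')!r}, expected acct:{acct}")
    actor = actor_url_from_webfinger(doc)
    if actor != expected_actor:
        problems.append(f"self link is {actor!r}, expected {expected_actor}")
    return problems


def fetch_webfinger(acct: str) -> dict:
    """Live lookup against the account's own domain (not used by the offline sample)."""
    domain = acct.split("@", 1)[1]
    url = f"https://{domain}/.well-known/webfinger?resource=acct:{acct}"
    req = urllib.request.Request(url, headers={"Accept": "application/jrd+json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


ACCT = "suramya@www.suramya.com"
EXPECTED_ACTOR = "https://www.suramya.com/blog/@suramya"

# Constructed WebFinger documents (not captured from the real server): one that
# points at the blog user, one that points at the old author page instead.
GOOD_DOC = {"subject": f"acct:{ACCT}",
            "links": [{"rel": "self", "type": ACTIVITY_JSON, "href": EXPECTED_ACTOR}]}
STALE_DOC = {"subject": f"acct:{ACCT}",
             "links": [{"rel": "self", "type": ACTIVITY_JSON,
                        "href": "https://www.suramya.com/blog/author/suramya-2/"}]}

if __name__ == "__main__":
    for name, doc in (("good", GOOD_DOC), ("stale", STALE_DOC)):
        print(name, check_account(doc, ACCT, EXPECTED_ACTOR) or "ok")
```

The same check applies to the new @blog name once the expected actor URL is updated.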

Another cool feature with the updated plugin is that all future blog posts will be publicly searchable on Mastodon (due to the way the Activitypub protocol works previous posts are not republished).

Well this is all for now. Will write more later.

– Suramya

September 25, 2023

Bank starts spamming about loan offer even before sending welcome kit

Filed under: My Thoughts — Suramya @ 1:52 PM

If you have a bank account in India, you will be familiar with the daily spam messages you get from them about their loan services etc. HDFC sends about 3-4 messages a day, not just via email but over WhatsApp too. It had gotten to the point where I ended up blocking their number to stop the spam. Same with Citibank and other banks.

But the best is yet to come: I opened a new bank account at a different bank and I have not yet received my welcome kit. However, I have started receiving emails offering me “8.45%* exclusive home loan starting rate”. This is after I specifically selected that I don’t want to receive messages about their offerings etc.

I think I will just create a filter to move all these messages to the spam folder automatically, otherwise it gets annoying to receive so many useless messages.

– Suramya

PS: Not naming the bank because I don’t like people knowing where I have accounts 🙂

September 20, 2023

No, it is not romantic behavior to pretend to be a recruiter on LinkedIn to get a girl’s phone number

Filed under: My Thoughts — Suramya @ 1:26 PM

If you think pretending to be a recruiter on LinkedIn to get a phone number is a reasonable way to talk to a lady then you need to get professional help ASAP. See the screenshot below that came up in one of my feeds on Mastodon (I think).


Messaging on LinkedIn as a recruiter to get phone numbers

Can folks not understand how messed up/creepy this looks? It is bad enough that people keep messaging on there as if they are on a dating site and not a professional network, but this is the next level of messed up. Even worse is the real life example that Shelly shares in the screenshot where the guy actually set up/borrowed a physical office to talk to this girl.

A lot of this is due to movies and TV shows romanticizing borderline stalker behavior. Earlier this week I was watching a show where this guy liked a girl who worked at the library and this guy asks her out for dinner. The girl says no and the guy asks her out every day for the next few months till she gives in and says yes, and this was shown as a positive thing in the show because the guy’s father did the same thing to his mother. Actually, he was worse because he stalked her for years before she said yes to the first date… There are numerous such instances that I can quote; in fact it is bad enough that some shows actually make fun of it. I remember a line from a show I was watching where this girl told another guy not to follow the examples of romantic behavior shown in movies to show his affection to another girl because that is creepy/stalker behavior. Then the whole Alpha male/Pickup Artist/Incel groups make it even worse as they share these tactics as a sure-shot way to hook up with women.

If you thought about using these or similar techniques then please rethink as they are not as romantic as you might think they are.

– Suramya

September 7, 2023

Youtube2Webpage: Create Websites with Text from Videos

In my last post, I had talked about preferring text content to videos and coincidentally my Hacker News feed happened to cover a tool that takes a video link and creates a webpage with a transcript generated from the video’s closed captions paired with screenshots of the video. The program is called Youtube-to-Webpage. It is a Perl script that uses yt-dlp & ffmpeg to do the processing.

I tried it out using the curl video I talked about in the previous post as the input, and the software did a decent job capturing the details. The output is very plain and looks like the following:

Transcription of Curl Training video

Since the program uses the built-in YouTube captions for getting the text from the video, the transcription is only as good as the captions are. One enhancement that could make it better is to use a speech-to-text engine and use that text in the output. The slightly tricky part would be to match the screenshots with the audio/transcription timestamps.

Check it out if you prefer to read text instead of watching videos. I wonder how the output would look if we feed this to an LLM and ask it to make it read like an article. That can be something we explore in the next post 🙂

– Suramya

September 6, 2023

Mastering curl using an interactive text guide

Filed under: Knowledgebase,Linux/Unix Related,My Thoughts — Suramya @ 10:09 PM

Curl is a program that has slowly percolated across the entire internet, into places where you wouldn’t believe. Folks have found it installed in inverters, it is running in outer space, etc. I mostly used to use wget earlier because my needs were quite simple and usually I just wanted to download a page or file from a website; then as I started working on more advanced use cases I found that curl was more powerful and versatile than wget, so I use curl more than wget now (for the most part).

The curl command is extremely versatile and has over 250 command-line options; even seasoned users don’t know everything the tool can do, so Daniel Stenberg, the author of curl, created a 3.5-hour-long video on how to master curl. While the video is really useful and goes in depth, I personally don’t like to watch video tutorials. Instead I prefer to read text-based tutorials, as I read quite fast and can also search for specific stuff in a text tutorial, which is not really possible in a video (at least not easily).

So, I was quite pleased to find that Anton Zhiyanov had taken the effort to create a text version of the video for future reference and as a cherry on top they even made the whole thing interactive so that you can try out the commands directly from the website and see how they would work.

Do check out the tutorial if you want to learn more about curl and how to use it more efficiently.

– Suramya

September 5, 2023

Invalid Flight plan submission to UK National Air Traffic Services causes multi-day chaos

Filed under: My Thoughts,Tech Related — Suramya @ 6:50 PM

One of the cardinal rules in computers is to “never trust the input” or, put another way, “Never trust user input”. If you ever wondered what would happen if this wasn’t followed, here’s a real-world example that happened late last month (28th Aug) where almost every flight to and from the UK was delayed or cancelled after their air traffic control systems went down.

An analysis of the crash found that a French airline had filed a flight plan in the wrong format to the National Air Traffic Services (NATS), and instead of rejecting the plan because it was in an invalid format, as it should have done, the entire system went down hard. This is a basic programming principle and I am not sure why their testing didn’t catch this massive vulnerability. Basically, it looks like anyone with access to file a flight plan can crash the entire NATS just by submitting a flight plan in the wrong format.

Apparently it is expected behavior as per NATS chief executive Martin Rolfe, who said that both Primary AND Backup systems responded to the incorrect flight data by suspending automatic processing “to ensure that no incorrect safety-related information could be presented to an air traffic controller or impact the rest of the air traffic system”.

Nats chief executive, Martin Rolfe, told BBC Radio 4’s Today programme: “It wasn’t an entire system failure. It was a piece of the system, an important piece of the system.

“But in those circumstances, if we receive an unusual piece of data that we don’t recognise, it is critically important that that information – which could be erroneous – is not passed to air traffic controllers.”

Mr Rolfe said Nats has “safety-critical systems” and “throwing data away needs to be very carefully considered”.

To me it is unbelievable that anyone thought that crashing both the Primary and Backup systems was preferable to throwing away an invalid flight plan.
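To make the principle concrete, here is an added example (my own, not code from NATS or from any source the post cites) that contrasts the two behaviours described above on a toy flight-plan format: a batch processor that dies on the first malformed record, so nothing in the batch gets processed, and one that quarantines that record and keeps processing the rest. The format "CALLSIGN,DEP,ARR,HHMM" and the sample submissions are constructed for the example and do not reproduce the real flight-plan format.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed toy format: "CALLSIGN,DEP,ARR,HHMM" with four-letter ICAO
# airport codes and a UTC departure time. It only stands in for the real format.
PLAN_RE = re.compile(
    r"^([A-Z]{3}[0-9]{1,4}),([A-Z]{4}),([A-Z]{4}),([0-2][0-9][0-5][0-9])$")


@dataclass(frozen=True)
class FlightPlan:
    callsign: str
    departure: str
    arrival: str
    etd: str  # HHMM, UTC


def parse_plan(line: str) -> FlightPlan:
    """Parse one submission; raise ValueError on anything outside the format."""
    m = PLAN_RE.match(line.strip())
    if not m:
        raise ValueError(f"malformed flight plan: {line!r}")
    callsign, dep, arr, etd = m.groups()
    if int(etd[:2]) > 23:
        raise ValueError(f"invalid departure time: {etd}")
    return FlightPlan(callsign, dep, arr, etd)


def process_naive(lines: List[str]) -> List[FlightPlan]:
    """One malformed record aborts the whole batch and nothing is processed.
    A backup running the same code fails on the same record in the same way."""
    return [parse_plan(line) for line in lines]


def process_fail_safe(lines: List[str]) -> Tuple[List[FlightPlan], List[Tuple[str, str]]]:
    """Reject only the bad record, keep processing the rest, and report what
    was quarantined so a human can look at it."""
    accepted, rejected = [], []
    for line in lines:
        try:
            accepted.append(parse_plan(line))
        except ValueError as exc:
            rejected.append((line, str(exc)))
    return accepted, rejected


# Constructed sample submissions: two valid, one in the wrong format.
SUBMISSIONS = [
    "BAW117,EGLL,KJFK,1030",
    "AFR1280,LFPG,EGLL,25:30",   # time field not in HHMM form
    "DLH456,EDDF,EGLL,1145",
]

if __name__ == "__main__":
    ok, bad = process_fail_safe(SUBMISSIONS)
    print(f"accepted {len(ok)}, quarantined {len(bad)}: {bad}")
```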

Sources:

– Suramya

September 4, 2023

Mashing Enter can allow you to bypass full disk encryption in certain scenarios

Filed under: Computer Security,Linux/Unix Related,My Thoughts — Suramya @ 12:30 PM

When folks think about hacking and people bypassing secure systems, they have this mental image of folks writing complex code or physically reading the data byte by byte, but that is not always true. Sometimes it is as simple as just keeping the Enter key pressed while the system is booting up. Yes, you read that right. A few days ago a vulnerability was found in TPM-protected systems configured to implement unattended unlocking for LUKS full disk encryption using Red Hat’s Clevis and dracut software along with systemd.

Generally, a Linux computer using TPM-protected unattended disk encryption will still allow a user to view the output of the boot process and optionally manually enter a decryption password with the keyboard. This allows for situations where the computer fails to boot and needs someone to troubleshoot the startup process. While the unattended TPM unlocking is taking place, the user is still presented with the password prompt and an opportunity to enter input.

There’s a limited window of time before the TPM will unlock the disk and the boot process will proceed automatically to the login prompt, so how can we effectively fuzz this input opportunity? What if we could type faster than a human being? Using an Atmel ATMEGA32U4 microcontroller (such as you’d find in an Arduino Leonardo development board) we can emulate a keyboard that sends virtual keypresses at essentially the maximum rate that the computer will accept. The following short Arduino program sets up a Leonardo as a keyboard emulator:

#include "Keyboard.h"

// Wait one second after the board enumerates, then start acting as a USB keyboard.
void setup() {
  delay(1000);
  Keyboard.begin();
}

// Press and release Enter roughly every 20 ms for as long as the board is powered.
void loop() {
  Keyboard.press(KEY_RETURN);
  delay(10);
  Keyboard.releaseAll();
  delay(10);
}

One second after being plugged in this program begins to simulate pressing the Enter key on a virtual keyboard every 10 milliseconds. This is about 10x faster than the usual keyboard repeat rate you’d get simply holding down a key, and Linux seems to recognise around 70 characters per second using this method, or one keypress approximately every 15 milliseconds.

Sending keypresses this fast quickly hits the maximum number of password entry retries, while keeping the system from unlocking the disk automatically due to password guess rate limiting, and systemd eventually gives up trying to unlock the disk. It takes a minute or two, but the recovery action in this failure scenario is to give us a root shell in the early boot environment.

The simplest way to address the most immediate problem: Add rd.shell=0 and rd.emergency=reboot to the kernel command line. This ensures that if anything fails during the early boot process the computer will reboot immediately rather than dropping into a root shell.

However, this goes to show us that the old statement about security is still absolutely valid: “Physical access is root access.” You can’t spend thousands on protecting the cyber threat landscape and ignore physical security such that people can just walk up to your computer and stick things inside. That being said, having a physical security program doesn’t necessarily protect you from an insider threat, so that is also something to keep in mind.
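A small audit for the mitigation quoted above, added here as an example (my own code, not from the Pulsesecurity write-up): it parses a kernel command line and reports whether rd.shell=0 and rd.emergency=reboot are both present with those exact values. The check_running_kernel helper reads /proc/cmdline on a live host; the two sample command lines are constructed placeholders, not captured from a real system.

```python
import shlex
from typing import Dict, List, Optional

# The two settings the write-up recommends adding to the kernel command line.
REQUIRED = {"rd.shell": "0", "rd.emergency": "reboot"}


def parse_cmdline(cmdline: str) -> Dict[str, Optional[str]]:
    """Split a kernel command line into a {key: value} map.
    Bare flags such as 'quiet' map to None; shlex handles quoted values."""
    params: Dict[str, Optional[str]] = {}
    for token in shlex.split(cmdline):
        key, sep, value = token.partition("=")
        params[key] = value if sep else None
    return params


def missing_mitigations(cmdline: str) -> List[str]:
    """Return the required settings that are absent or set to another value."""
    params = parse_cmdline(cmdline)
    return [f"{k}={v}" for k, v in REQUIRED.items() if params.get(k) != v]


def check_running_kernel(path: str = "/proc/cmdline") -> List[str]:
    """Audit the command line the running kernel was booted with."""
    with open(path) as f:
        return missing_mitigations(f.read())


# Constructed sample command lines (placeholder values, not from a real host).
VULNERABLE = "BOOT_IMAGE=/vmlinuz root=/dev/mapper/root rd.luks.uuid=luks-PLACEHOLDER quiet"
HARDENED = VULNERABLE + " rd.shell=0 rd.emergency=reboot"

if __name__ == "__main__":
    for label, line in (("vulnerable", VULNERABLE), ("hardened", HARDENED)):
        print(label, missing_mitigations(line) or "ok")
```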

Source: Pulsesecurity: Mashing Enter to bypass full disk encryption with TPM, Clevis, dracut and systemd

– Suramya

September 3, 2023

Aditya-L1 Mission is a successful launch

Filed under: Astronomy / Space,My Thoughts — Suramya @ 11:59 PM

The Aditya-L1 was launched successfully on Saturday and inserted into orbit as per the plan. This is India’s first mission to study the Sun, and is a natural next step (if you think about it) after a successful moon mission. The planned duration of the mission is 5.2 years.

Was talking to Jani yesterday and she asked what the L1 point was, and I had just assumed everyone knew what it was because I knew it. But then I realized that this is not common knowledge though more people are learning about it thanks to the coverage of the Aditya-L1 mission. Basically, the definition is as below:

Lagrange points are positions in space where objects sent there tend to stay put. At Lagrange points, the gravitational pull of two large masses precisely equals the centripetal force required for a small object to move with them. These points in space can be used by spacecraft to reduce fuel consumption needed to remain in position.

To put it more simply, this is a place between the Earth and Sun where the gravitational pull of the Sun is cancelled by the gravitational pull of the Earth. There are multiple such points around the solar system. The L1 point is approximately 1.5 million km away from Earth (about 1% of the Earth-Sun distance).

Visual depiction of Lagrange Points, courtesy of ISRO
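A back-of-the-envelope check of that 1.5 million km figure, added here as a worked example (not part of the original post). Requiring the net pull at distance $R-r$ from the Sun (Sun's attraction minus Earth's) to supply the centripetal acceleration $\omega^2 (R-r)$ at the Earth's orbital angular velocity $\omega$, and expanding to first order in $r/R$, gives the standard approximation for the Sun-Earth L1 distance; with the textbook values $M_\odot \approx 1.989\times10^{30}$ kg, $M_\oplus \approx 5.972\times10^{24}$ kg and $R \approx 1.496\times10^{8}$ km:

$$
r \;\approx\; R\left(\frac{M_\oplus}{3M_\odot}\right)^{1/3}
\;=\; 1.496\times10^{8}\,\text{km}\times\left(\frac{5.972\times10^{24}}{3\times1.989\times10^{30}}\right)^{1/3}
\;\approx\; 1.496\times10^{8}\,\text{km}\times 0.0100
\;\approx\; 1.5\times10^{6}\,\text{km}
$$

The ratio $r/R \approx 0.01$ is exactly the "about 1% of the Earth-Sun distance" quoted above.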

The Indian space program is shining because of their two back-to-back missions where very few other countries have succeeded in the past, so obviously we have folks in the western media claiming that the Chandrayaan-3 mission was faked and lots of editorials where ‘experts’ talk about how India should focus on feeding its poor instead of the space program. These folks need to take a closer look at their own countries and the state of their poor and the state of their infra instead of lecturing India.

That being said, not everyone responded in a racist way; plenty of publications covered the mission and were complimentary about how much India has achieved in the past few years. Ars Technica did a pretty in-depth and balanced walk-through of India’s space programs and how it ranks against the other global powers.

Also, to those from the UK who are asking for their ‘aid money’ back (which was actually investment money being shown as aid money), you are more than welcome to ask for it back after you pay back all the money the British Raj looted from India and have returned all the stolen treasures being showcased in the British Museum. Actually, why don’t we do this: deduct the money you claim to have sent for aid and then return the rest, and then we can talk. Till then we will keep ignoring you.

Jai Hind.

– Suramya
